CVE-2026-9517
Deferred Deferred - Pending Action
Improper Access Control in CodeIgniter-StudentManagementSystem

Publication date: 2026-05-26

Last updated on: 2026-05-26

Assigner: VulDB

Description
A vulnerability was determined in hemant6488 CodeIgniter-StudentManagementSystem. The affected element is an unknown function of the file /index.php/students/addStudentView of the component Student Management Handler. Executing a manipulation can lead to improper access controls. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-26
Last Modified
2026-05-26
Generated
2026-06-15
AI Q&A
2026-05-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-9517
EUVD
EUVD-2026-31773
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
hemant6488 codeigniter_studentmanagementsystem *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the CodeIgniter-StudentManagementSystem, specifically in the Students.php controller. It allows unauthenticated users to access and manipulate student data without any authentication or authorization checks.

An attacker can remotely access endpoints to view the full list of students, add new students, edit existing records, and delete students without logging in.

The root cause is improper access controls in the Student Management Handler component, particularly in the /index.php/students/addStudentView function.

Impact Analysis

This vulnerability can lead to unauthorized exposure and manipulation of sensitive student data.

  • Attackers can view confidential student records without permission.
  • Attackers can add, modify, or delete student data, potentially corrupting the database.
  • The vulnerability can cause reputational damage to the organization managing the system.
  • It may enable further exploitation if combined with other vulnerabilities like stored XSS or SQL injection.
Detection Guidance

This vulnerability can be detected by attempting to access the affected endpoints without authentication and observing if unauthorized access or manipulation of student data is possible.

For example, using command-line tools like curl to send requests to the vulnerable endpoints can help identify the issue.

  • curl -X GET http://<target>/index.php/students/addStudentView
  • curl -X GET http://<target>/index.php/students (to check if the full list of students is accessible without login)
  • curl -X POST http://<target>/index.php/students/addStudentView -d "<student_data>" (to test if adding students is possible without authentication)
Mitigation Strategies

Immediate mitigation steps include implementing proper authentication and authorization checks on the affected endpoints, especially in the Students.php controller.

Restrict access so that only authenticated and authorized users can view, add, edit, or delete student records.

Additionally, monitor access logs for any suspicious or unauthorized requests to these endpoints.

If possible, temporarily disable or restrict access to the vulnerable endpoints until a proper fix or patch is applied.

Compliance Impact

The vulnerability allows unauthenticated and unauthorized access to student data, including viewing, adding, editing, and deleting records. This improper access control can lead to exposure and manipulation of sensitive personal information.

Such unauthorized access and potential data exposure can violate common data protection standards and regulations like GDPR and HIPAA, which require strict controls over personal and sensitive data to ensure confidentiality, integrity, and proper authorization.

Therefore, exploitation of this vulnerability could result in non-compliance with these regulations, leading to legal, financial, and reputational consequences for organizations using the affected system.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9517. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart